Neo4j Community Edition - Hardened Native Graph Database

by Lynxroute

Neo4j 2026.05.0 - CIS Level 1 hardened native graph database on Ubuntu 24.04, SBOM + CIS

What is Neo4j Community Edition

Neo4j Community Edition is an open-source native graph database written in Java that stores data as nodes and relationships instead of rows and tables, making connected-data queries fast and expressive. It is queried with Cypher, Neo4j's declarative graph query language, over the binary Bolt protocol or an HTTP API, and ships with the Neo4j Browser - a built-in web workbench for running Cypher and visualising the graph. The engine provides ACID transactions, index-free adjacency for constant-time traversals, native graph storage, schema constraints and indexes, and a procedure library. Typical uses include knowledge graphs, fraud detection, recommendation engines, network and IT operations mapping, and identity and access graphs. This image runs a single-node Community instance on OpenJDK 21, with the JVM heap and page cache sized to the VM at first launch. GPL-3.0 license, no vendor lock-in.

Why self-host Neo4j

Running Neo4j on a VM you control keeps every node and relationship - which often encodes sensitive customer, identity and transaction connections - inside your own tenant rather than in a managed graph service. Self-hosting suits teams with data residency requirements, organisations operating under GDPR, HIPAA or ISO 27001, and any product where connected data must stay inside your own perimeter; there are no per-query fees. The Community Edition is GPL-3.0, fully auditable, with no vendor lock-in.

What this VM image adds

Security hardening:

  • Random administrator password generated per instance at first launch - no default neo4j/neo4j credential - stored in /root/neo4j-credentials.txt (mode 0600)
  • Native TLS on the Bolt protocol (port 7687, encryption required) and the Neo4j Browser over HTTPS (port 7473), with a self-signed certificate generated at first launch that you can replace with a certificate issued by your own CA
  • Plain HTTP bound to localhost - port 7474 listens on 127.0.0.1 and is blocked by the firewall; only HTTPS 7473 and Bolt 7687 are exposed
  • JVM heap and page cache sized to the VM RAM at first launch
  • Neo4j Browser usage telemetry disabled
  • UFW firewall - TCP 7473 and 7687 open externally for buyer use, TCP 22 for SSH; all other inbound dropped; Azure IMDS and WireServer egress pre-configured
  • fail2ban - SSH brute-force protection
  • AppArmor - mandatory access control
  • CVE scan - every image is scanned with Trivy before release

OS hardening (CIS Level 1):

  • CIS Ubuntu 24.04 LTS Level 1 Benchmark via ansible-lockdown
  • auditd for system call auditing of critical paths
  • SSH hardening - PasswordAuthentication disabled, key-only access, PermitRootLogin no, LoginGraceTime 60
  • Kernel hardening - SYN cookies, ASLR, rp_filter, kexec disabled, IPv6 off
  • /tmp as tmpfs with nosuid, nodev, noexec

Compliance artifacts (inside the VM):

  • SBOM - CycloneDX 1.6 at /etc/lynxroute/sbom.json with Neo4j pinned by version, PURL, GPL-3.0 license, supplier, and hash
  • CIS Conformance Report at /etc/lynxroute/cis-report.html (OpenSCAP, Azure tailoring profile, 0 FAIL rules)
  • Tailored CIS profile at /usr/share/doc/lynxroute/CIS_TAILORED_PROFILE.md
  • Operator credentials file at /root/neo4j-credentials.txt (mode 0600) with the admin password, the Bolt TLS endpoint, and the Neo4j Browser HTTPS URL

Quick Start

  1. Deploy VM from Azure Marketplace (Standard_D2s_v3 recommended)
  2. Open NSG: TCP 7473 and TCP 7687 from your trusted sources, TCP 22 from your management IPs only
  3. SSH: ssh -i key.pem azureuser@<PUBLIC_IP>, then sudo cat /root/neo4j-credentials.txt for the admin password
  4. Open https://<PUBLIC_IP>:7473/browser/ in your browser. It will warn about the self-signed certificate; before accepting, compare the fingerprint shown in the warning with that of the certificate generated under /var/lib/neo4j/certificates/ on the VM, so you know the warning comes from your own instance and not from something in between
  5. In the Connect dialog set the connection URL to neo4j+ssc://<PUBLIC_IP>:7687, then log in as neo4j with the password from the credentials file. The +ssc scheme encrypts the connection but accepts any server certificate, so use it only while the generated self-signed certificate is in place

Neo4j serves Bolt over TLS on port 7687 and the Neo4j Browser over HTTPS on 7473; plain HTTP 7474 stays bound to localhost. For production, replace the self-signed certificate in /var/lib/neo4j/certificates/ with a CA-signed one, run sudo systemctl restart neo4j, and switch clients from neo4j+ssc:// to neo4j+s://, which verifies the server certificate against trusted CAs instead of accepting any certificate.
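Added example, not part of the Lynxroute image, of Neo4j, or of this listing: a small post-deploy check script for steps 3 to 5 of the Quick Start and for the port claims in the hardening list. It verifies that the only non-loopback TCP listeners are 22, 7473 and 7687 (so plain HTTP 7474 really is loopback-only) and lets you compare the certificate fingerprint the server presents with the one on disk before accepting the browser warning. It assumes ss and openssl are installed (both ship with Ubuntu 24.04) and that you pass the path of the generated certificate yourself, since the listing names the directory /var/lib/neo4j/certificates/ but not the file inside it.

```shell
#!/bin/sh
# Post-deploy checks for the Lynxroute Neo4j VM. Added example: this is not
# part of the image, of Neo4j, or of the listing. Assumptions: run on the VM
# over SSH (the served-certificate check also works from any host that can
# reach 7473/7687); `ss` and `openssl` are installed, as on stock Ubuntu 24.04.
set -eu

# Ports the listing says are reachable on all interfaces. Anything else bound
# to a non-loopback address (e.g. plain HTTP 7474 on 0.0.0.0) is a finding.
EXPECTED_PUBLIC="22 7473 7687"

# check_listeners "<ss -tlnH output>": returns 0 when every TCP listener is
# either loopback-only or on an expected public port, 1 otherwise. Each line
# of `ss -tlnH` is: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port [Process]
check_listeners() {
  bad=0
  while read -r _state _recvq _sendq local_addr _rest; do
    [ -n "$local_addr" ] || continue
    port="${local_addr##*:}"      # text after the last colon
    addr="${local_addr%:*}"       # text before it: "*", "[::]", "0.0.0.0", "127.0.0.1", ...
    case "$addr" in
      127.0.0.1|'[::1]') ;;       # loopback: never reachable from outside the VM
      *)
        case " $EXPECTED_PUBLIC " in
          *" $port "*) ;;
          *) echo "FAIL: non-loopback listener outside the allow-list: $local_addr" >&2; bad=1 ;;
        esac ;;
    esac
  done <<EOF
$1
EOF
  return "$bad"
}

# cert_fingerprint_served HOST PORT: SHA-256 fingerprint of the certificate the
# server actually presents. Works for 7473 (HTTPS) and 7687 (Bolt over TLS),
# since both are ordinary TLS handshakes.
cert_fingerprint_served() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_fingerprint_file PEMFILE: SHA-256 fingerprint of a certificate on disk.
# Pass the generated certificate under /var/lib/neo4j/certificates/ yourself;
# the listing names the directory, not the file (assumed path, supplied by you).
cert_fingerprint_file() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# served_matches_file HOST PORT PEMFILE: 0 when the certificate seen on the
# wire is the one on disk, i.e. nothing sits between you and your instance.
served_matches_file() {
  [ "$(cert_fingerprint_served "$1" "$2")" = "$(cert_fingerprint_file "$3")" ]
}

# Typical use on the VM (not run automatically when the file is sourced):
#   check_listeners "$(ss -tlnH)" && echo "listening surface matches the listing"
#   served_matches_file 127.0.0.1 7473 /var/lib/neo4j/certificates/<https cert file>
#   served_matches_file 127.0.0.1 7687 /var/lib/neo4j/certificates/<bolt cert file>
```

Run check_listeners over SSH right after first boot and again after any configuration change. For the browser warning in step 4, run cert_fingerprint_file on the VM and compare the value with the fingerprint your browser displays; for Bolt, cert_fingerprint_served <PUBLIC_IP> 7687 from your workstation should match the same check run against 127.0.0.1 on the VM. Once a CA-signed certificate is installed the fingerprint comparison is no longer needed, because neo4j+s:// and the browser verify the chain themselves.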